6,000,000+ Installed Chrome Extensions Can Execute Remote Commands on User’s Browser


Apr 18, 2025 - 14:27

A major security incident has come to light involving more than six million installations of Chrome browser extensions that secretly execute remote commands, track user activity, and potentially expose sensitive information.

John Tuckner of Secure Annex has identified at least 35 related extensions, many of which are unlisted in the Chrome Web Store, making them invisible to casual users and difficult for security teams to detect.

The investigation began when security professionals noticed unusual activity from unlisted Chrome extensions—those not indexed by search engines or visible in Web Store searches.

One such extension, “Fire Shield Extension Protection,” claimed to protect users from harmful extensions but was itself found to be highly suspicious.

Despite being unlisted, it had over 300,000 users and requested broad permissions, including access to all web traffic, cookies, browser tabs, and the ability to execute scripts.

Further analysis revealed that “Fire Shield Extension Protection” was just one of a network of 35 extensions exhibiting similar behavior.

These extensions often claimed to offer services like ad blocking, privacy protection, or improved search results, but their actual code was minimal or non-functional.

Deeply Embedded Surveillance Capabilities

The extensions’ manifest files requested permissions far beyond what would be necessary for their stated functions. They could:

  • Access and collect all cookies for any domain visited.
  • Monitor and track user web activity across all sites.
  • Access sensitive browser headers, including ‘Authorization’ and ‘Cookies’.
  • Execute scripts retrieved from remote servers within the browser context.
  • Open and close browser tabs without user interaction.

Crucially, these extensions featured a remote configuration capability. This allowed their behavior to be altered by commands from external servers, effectively turning the browser into a remotely controlled surveillance tool.

(Image caption: Extension scanned)

The extensions sent regular “heartbeat” pings to their command servers and could receive updates that expanded their tracking or data collection.
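Regular heartbeat pings of the kind described above leave a recognisable trace in proxy or DNS logs: one client contacting one host at a near-constant interval, regardless of what the user is doing. The script below is an added example, not code from Secure Annex, Google or this article; it groups requests by client and destination host and flags pairs whose inter-request gaps have a very low coefficient of variation. The log format, the thresholds, and the host name callback.example.invalid are all constructed for the example and are not observed indicators.

```python
"""Spot fixed-interval "heartbeat" traffic in a web proxy log.

Added example, not code from Secure Annex or Cyber Security News.
Assumptions: log lines are 'ISO-timestamp client host path' (a constructed
format), the thresholds are this example's own, and the host name
callback.example.invalid is a placeholder, not an observed indicator.
"""

import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_line(line):
    """Return (epoch seconds, client, host) for one log line."""
    ts, client, host, _path = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when.timestamp(), client, host


def find_beacons(lines, min_events=6, max_cv=0.15):
    """Group requests by (client, host) and flag pairs whose inter-request gaps
    are near-constant (coefficient of variation <= max_cv). Thresholds assumed."""
    stamps = defaultdict(list)
    for line in lines:
        t, client, host = parse_line(line)
        stamps[(client, host)].append(t)
    beacons = []
    for (client, host), times in stamps.items():
        if len(times) < min_events:
            continue  # too few requests to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "events": len(times),
                            "period_s": round(mean), "cv": round(cv, 3)})
    return beacons


def _line(when, client, host, path):
    return f"{when:%Y-%m-%dT%H:%M:%SZ} {client} {host} {path}"


def build_sample_log():
    """Constructed log: one client pinging a placeholder callback host roughly
    every 300 s, interleaved with irregular ordinary browsing to another host."""
    start = datetime(2025, 4, 18, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    t = start
    lines.append(_line(t, "10.0.0.5", "callback.example.invalid", "/heartbeat"))
    for gap in (300, 302, 298, 301, 299, 300, 300, 303, 297):  # small jitter
        t += timedelta(seconds=gap)
        lines.append(_line(t, "10.0.0.5", "callback.example.invalid", "/heartbeat"))
    for offset in (0, 45, 400, 410, 1300, 1320, 2900):  # irregular human browsing
        lines.append(_line(start + timedelta(seconds=offset), "10.0.0.5", "news.example.com", "/"))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Run against real proxy logs, the same grouping works once `parse_line` is adapted to the local log format; the coefficient-of-variation test is what separates a timer-driven heartbeat from human browsing, which has wildly varying gaps.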

The code in these extensions was heavily obfuscated, making it challenging for analysts to determine the full extent of their capabilities.

Some functions were only activated after receiving specific configurations from remote servers, which could be triggered after a user had been active for a certain period. This delayed activation helped the extensions evade detection during routine security checks.

Investigators also found that some extensions shared identical code patterns and callback domains, further linking them as part of a coordinated operation.

In some cases, the extensions were associated with suspicious company names or privacy policies dating back as far as 2019, indicating a long-running campaign.

The method by which these unlisted extensions achieved millions of installations remains unclear. Theories include distribution through malicious ads, bundling with other unwanted software, or automated installation mechanisms.

Some extensions even received “Featured” status in the Chrome Web Store, which could falsely assure users of their legitimacy.

What Users Should Do

Security experts urge Chrome users to:

  • Review and remove any extensions with excessive permissions or unclear purposes.
  • Be cautious of extensions requesting access to all websites, cookies, or browsing data.
  • Only install extensions from reputable developers with transparent privacy practices.
  • Regularly audit installed extensions and remove those no longer needed.
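Reviewing permissions by hand across a fleet does not scale, but the manifest.json that Chrome stores for every installed extension makes the check scriptable. The script below is an added example, not code from Secure Annex, Google or this article; it scores each manifest for the permission set listed under "Deeply Embedded Surveillance Capabilities" (cookies, all-site host access, script injection, header observation, tab control) and for an MV2 content security policy that permits remote script sources. The risk weights and verdict thresholds are this example's own heuristic, the two manifests are constructed samples, and the on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json` is Chrome's standard one.

```python
"""Audit Chrome extension manifests for the broad permission set described above.

Added example, not code from Secure Annex, Google or Cyber Security News.
Assumptions: the risk weights and thresholds are this example's own
heuristic; the two manifests are constructed samples; the on-disk layout
<profile>/Extensions/<id>/<version>/manifest.json is Chrome's standard one.
"""

import json
import sys
from pathlib import Path

# Permissions that, combined, give the capabilities listed in the article.
# Weights are an assumed heuristic for this example, not a Chrome scoring scheme.
RISKY_PERMISSIONS = {
    "cookies": 3,            # read/write cookies for every host the extension can reach
    "webRequest": 2,         # observe request/response headers (Authorization, Cookie)
    "webRequestBlocking": 2,
    "webNavigation": 2,      # see every navigation the user makes
    "scripting": 3,          # inject scripts into pages
    "tabs": 1,               # open, close and inspect tabs
}
# Host patterns that cover every site (MV2 lists them under "permissions").
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def score_manifest(manifest):
    """Return name, version, score and findings for one parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms
    findings = [p for p in sorted(perms) if p in RISKY_PERMISSIONS]
    score = sum(RISKY_PERMISSIONS[p] for p in findings)
    if hosts & BROAD_HOSTS:
        findings.append("<all_urls>")
        score += 4
    # An MV2 CSP that whitelists an external script origin lets the extension
    # load code from a remote server; MV3 no longer permits this.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    if "script-src" in csp and "http" in csp:
        findings.append("csp-allows-remote-script")
        score += 3
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "score": score, "findings": findings}


def verdict(score):
    """Map a score to an action; thresholds are assumed for this example."""
    if score >= 8:
        return "remove-or-justify"
    if score >= 4:
        return "review"
    return "ok"


def audit_extensions_dir(extensions_dir):
    """Score every manifest under <profile>/Extensions/<id>/<version>/."""
    reports = []
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        report = score_manifest(manifest)
        report["id"] = path.parents[1].name  # the 32-letter extension id directory
        report["verdict"] = verdict(report["score"])
        reports.append(report)
    return sorted(reports, key=lambda r: -r["score"])


# Constructed samples: one modelled on the behaviour described above, one benign.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Shield (constructed sample)",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "scripting", "webRequest", "webNavigation", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Notes (constructed sample)",
    "version": "2.3",
    "permissions": ["storage"],
    "host_permissions": [],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. ~/.config/google-chrome/Default/Extensions
        for r in audit_extensions_dir(sys.argv[1]):
            print(f"{r['verdict']:18} {r['score']:3} {r['id']} {r['name']} {r['findings']}")
    else:
        for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
            r = score_manifest(m)
            print(f"{verdict(r['score']):18} {r['score']:3} {r['name']} {r['findings']}")
```

Point the script at a profile's Extensions directory to list installed extensions worst-first; a high score is a prompt to justify or remove the extension, not proof of malice, since a legitimate ad blocker also needs broad host access.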

Google has been informed of the extensions and is investigating them further, but users are advised to act immediately to safeguard their privacy and security.

This incident underscores the ongoing risks posed by browser extensions and the need for vigilant extension management.


The post 6,000,000+ Installed Chrome Extensions Can Execute Remote Commands on User’s Browser appeared first on Cyber Security News.